When you open a website on the Internet, you issue an open invitation to everybody to come in and have a look. Some of the visitors are nice who appreciate what you do, but some might not be so pleased. There can be hackers, dirty competition, or plain jealous folk who would be too happy to take you down, and sometimes it’s easier than you imagine.
One of the most common attacks on Internet websites is through SQL Injection. In this technique, hackers try to modify or delete your SQL database by feeding your website evil SQL command masquerading as valid SQL code. It’s sometimes easier to do this then you think. If you’re using querystrings, or asking your users to put in input, it can be potentially used against you.
Here’s a scenario: You’ve got a great online products catalog, and you let users search through it. You’ve got a box on your main page in which users can type the product names. You’re using a standard sql query to conduct a search. Something that looks like this: -
SELECT * FROM Products WHERE Prod_Name = ‘MyProd’
Instead of typing in the product name, a hacker can just add some malicious sql code, and can potentially modify your data. This is SQL Injection. Injecting SQL code where you expect other values and taking you out by surprise. It’s a sneaky attack of the lowest form.
So how can you protect your website against the spineless crud?
There are many solutions, and you should have multiple levels of protection to maximise your security.
1. Limit input as much as possible. Try to use combo boxes, or lists instead of text boxes whenever you can.
2. Put in an upper limit on the number of characters. If you’re expecting an input of only 20 chars, don’t accept 200 chars.
3. Validate the input. If you’re expecting only numbers, don’t accept alphanumeric input. Similarly, if you don’t need things like apostrophes, asterisks, (can be used dangerously in sql code), don’t accept them, or remove them.
4. Monitor for dangerous input. If you’re particularly susceptible, or suspect that someone is out to hurt your website, search your input for dangerous keywords like DELETE, UPDATE, etc.
5. Don’t make your database field obvious. Never, never show your database field in your query string. I.e. avoid having a querystring like this: ‘http://www.mywebsite?ProductID=23′. Don’t name your query string variable ‘ProductID’ in the case above, cause it’s obvious that’s your database field name as well.
6. If you’re using MS Sql, you’re luckier, cause Microsoft has some in-built security in MS Sql that prevents unauthorised sql code from running when it suspects there’s something wrong.
7. Must use SQL Parameters. This is probably the most important tip I can give you. Don’t just attach your argument variables at the end of a literal sql string. I know it needs more lines, but use SQL parameters anyway. This makes sure that the input conforms to your required data type, and prevents malicious code.
That’s what I can think of for now. If you can add anything, do suggest.